Certbot: "Failed authorization procedure"

Creating a bug report/issue

I have searched the existing open and closed issues

Required Information

  • DietPi version | cat /boot/dietpi/.version
    G_DIETPI_VERSION_CORE=8
    G_DIETPI_VERSION_SUB=25
    G_DIETPI_VERSION_RC=3
    G_GITBRANCH='8'
    G_GITOWNER='MichaIng'

  • Distro version | echo $G_DISTRO_NAME $G_RASPBIAN
    buster 1

  • Kernel version | uname --all
    Linux DietPi-AdguardHome 5.10.103+ #1529 Tue Mar 8 12:19:18 GMT 2022 armv6l GNU/Linux

  • Architecture | dpkg --print-architecture
    armhf

  • SBC model | echo $G_HW_MODEL_NAME or (EG: RPi3)
    RPi Zero (armv6l)

  • Power supply used | (EG: 5V 1A RAVpower)
    5V 1A RAVpower

  • SD card used | (EG: SanDisk ultra)
    SanDisk ultra

Additional Information (if applicable)

  • Software title | (EG: Nextcloud)
    Certbot
  • Was the software title installed freshly or updated/migrated?
  • Can this issue be replicated on a fresh installation of DietPi?
    ← If you sent a “dietpi-bugreport”, please paste the ID here →
  • Bug report ID | echo $G_HW_UUID

Steps to reproduce

“dietpi-letsencrypt renew” wasn’t working, so I used the dietpi-letsencrypt “menu”.
Something was installed (certbot?) automatically, and all my settings were deleted and set to default values.
Setting them back to the old values (domain & email) didn’t solve the problem.

Expected behaviour

Certificate should be just renewed as it was done about 10 times before.

Actual behaviour

 DietPi-LetsEncrypt
─────────────────────────────────────────────────────
 Mode: Running Certbot

[  OK  ] DietPi-LetsEncrypt | Lighttpd webserver detected
[  OK  ] DietPi-LetsEncrypt | systemctl start lighttpd
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.yyy.eu
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xxx.yyy.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 111.222.333.444: Invalid response from http://xxx.yyy.eu/.well-known/acme-challenge/GgCzj7UggBpsm2ETrtPtm-yW17j3F1nXwUU8rcDJRhQ: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.yyy.eu
   Type:   unauthorized
   Detail: 111.222.333.444: Invalid response from
   http://xxx.yyy.eu/.well-known/acme-challenge/GgCzj7UggBpsm2ETrtPtm-yW17j3F1nXwUU8rcDJRhQ:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...

—> Lighttpd is running and is responding to http://xxx.yyy.eu & 111.222.333.444 with the placeholder page.

Extra details

Steps done before the actual status “Failed authorization procedure”:

[ INFO ] DietPi-LetsEncrypt | No webserver detected, running Certbot in standalone mode
80/tcp:
[ SUB1 ] DietPi-Services > stop
[  OK  ] DietPi-Services | stop : cron
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.org
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

→ A webserver is installed and running on port 80 and responding:
“This is a placeholder page installed by the Debian release of the [Lighttpd server package.]”

“:~# service lighttpd stop —> Failed to stop lighttpd.service: Unit lighttpd.service not loaded.”

“:~# killall lighttpd —> lighttpd: No process found”

“:~# dietpi-software reinstall 84”

[  OK  ] DietPi-Software | Initialised database
[  OK  ] DietPi-Software | Reading database

 DietPi-Software
─────────────────────────────────────────────────────
 Mode: Automated reinstall

[ INFO ] DietPi-Software | 84: Lighttpd is not currently installed
[ INFO ] DietPi-Software | Use "dietpi-software install 84" to install Lighttpd.
[  OK  ] DietPi-Software | No changes applied for: Lighttpd
root@DietPi-AdguardHome:~# systemctl restart lighttpd
Failed to restart lighttpd.service: Unit lighttpd.service not found.

dietpi-software —> Selecting “Install” from menu —> Directly this message:
"DietPi-Software —> No changes have been detected. Unable to start installation. "

dietpi-software —> Selecting “UnInstall” from menu:
“92 Certbot / 102 DietPI-RAMlog / 104 Dropbear”
—> Nextcloud (running) for example is missing in the list.

“:~# dietpi-software install 84”
—> lighttpd was successfully installed (newly).

What is the output of ss -tunlp | grep :80 ?

:~# ss -tunlp | grep :80
tcp     LISTEN   0        4096                   *:80                  *:*       users:(("AdGuardHome",pid=339,fd=6))

And here is your answer why lighttpd cannot bind to port 80 and certbot is not working.
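The same check, written out as an added example (not DietPi, certbot or AdGuard Home code): parse the `ss -tunlp` output and report which process holds a port. The two samples are constructed from the ss lines posted in this thread (AdGuardHome on *:80 before the fix, lighttpd on 0.0.0.0:80 and [::]:80 after it); the column layout assumed is the one ss prints on Debian buster.

```python
"""Find which process owns a listening socket from `ss -tunlp` output.

Added example for this thread. It explains both symptoms seen above:
certbot standalone reporting "Problem binding to port 80" and lighttpd
not starting, because another process already listens on :80.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed samples, built from the ss lines posted in the thread.
SAMPLE_BEFORE = """\
Netid  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
udp    UNCONN  0       0             0.0.0.0:53          0.0.0.0:*      users:(("AdGuardHome",pid=339,fd=8))
tcp    LISTEN  0       4096                *:80                *:*      users:(("AdGuardHome",pid=339,fd=6))
tcp    LISTEN  0       4096                *:3000              *:*      users:(("AdGuardHome",pid=339,fd=9))
"""

SAMPLE_AFTER = """\
tcp    LISTEN  0       1024          0.0.0.0:80          0.0.0.0:*      users:(("lighttpd",pid=31899,fd=4))
tcp    LISTEN  0       1024             [::]:80             [::]:*      users:(("lighttpd",pid=31899,fd=5))
tcp    LISTEN  0       4096                *:81                *:*      users:(("AdGuardHome",pid=339,fd=6))
"""

# One ("name",pid=N,fd=M) entry inside the users:(...) column.
USERS_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(text: str) -> List[Tuple[str, str, int, str, int]]:
    """Return (proto, local_addr, port, process, pid) for each socket line.

    Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer Process.
    Header lines and lines without a port are skipped; a line with
    several processes (fd sharing) yields one row per process.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        addr, _, port = parts[4].rpartition(":")  # handles "*:80" and "[::]:80"
        if not port.isdigit():
            continue
        for name, pid in USERS_RE.findall(line):
            rows.append((parts[0], addr, int(port), name, int(pid)))
    return rows


def owners_of_port(text: str, port: int, proto: str = "tcp") -> Dict[str, int]:
    """Map process name -> pid for every socket bound to `port`/`proto`."""
    return {name: pid for p, _, prt, name, pid in parse_ss(text)
            if p == proto and prt == port}


def diagnose(text: str, port: int = 80) -> str:
    """One-line verdict for the web server / certbot port conflict."""
    owners = owners_of_port(text, port)
    if not owners:
        return f"nothing listens on tcp/{port}; certbot standalone can bind it"
    who = ", ".join(f"{n} (pid {p})" for n, p in owners.items())
    if set(owners) == {"lighttpd"}:
        return f"tcp/{port} is held by {who}; use the webroot authenticator"
    return f"tcp/{port} is held by {who}; lighttpd and certbot standalone cannot bind it"


if __name__ == "__main__":
    # On the live system run as root, otherwise the Process column is empty.
    live = subprocess.run(["ss", "-tunlp"], capture_output=True, text=True).stdout
    print(diagnose(live))
```

`ss` only fills the `users:(...)` column for sockets the caller may inspect, so run it as root (as the OP did); an empty column does not mean the port is free.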

Great that you can see a reason for the problem. Maybe you can explain it and give a possible solution?

Did you install AGH yourself? Actually it's conflicting with the web server due to its use of port 80.

Yes, I did it myself. The system was running with AGH and Lighttpd & LetsEncrypt for over a year.
Today I was getting trouble while I just wanted to renew the certificate.

You would need to configure AGH to use a different port than 80.

Changed the port from “80” to “81” in the file "/usr/local/AdGuardHome/AdGuardHome.yaml" and restarted AGH. It is working fine on port 81 now.

:# ss -tunlp | grep :80
tcp     LISTEN   0        1024             0.0.0.0:80            0.0.0.0:*       users:(("lighttpd",pid=31899,fd=4))                             
tcp     LISTEN   0        1024                [::]:80               [::]:*       users:(("lighttpd",pid=31899,fd=5))

Started dietpi-letsencrypt again and still got the error:

Failed authorization procedure. xxx.yyy.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 111.222.333.444: Invalid response from http://xxx.yyy.eu/.well-known/acme-challenge/GgCzj7UggBpsm2ETrtPtm-yW17j3F1nXwUU8rcDJRhQ: 404

Are you able to reach your web server on port 80 from internet using DDNS? Best to test with a mobile phone connected to mobile internet.

I don’t know what you mean by “DDNS”. It’s a Raspi with a DynDNS name.
It can be reached by mobile phone on ports 80 and 443 with the IP and the DynDNS name.
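A way to pin down the remaining 404 without burning Let's Encrypt validation attempts, as an added example (not certbot's or DietPi's code): do the same round trip the ACME server does. certbot's webroot plugin writes the token under `<webroot>/.well-known/acme-challenge/` and the CA fetches `http://<domain>/.well-known/acme-challenge/<token>`; a 404 means a web server answered, but it did not serve the directory certbot wrote to (for instance a different document root). The `demo()` below runs the check against Python's own `http.server` in a temporary directory as a stand-in for lighttpd, once with the matching document root and once with a different webroot to reproduce the 404; `check_webroot("http://xxx.yyy.eu", "/var/www")` is the call to make on the Pi itself, with the domain and webroot from the output above.

```python
"""Self-test of the http-01 webroot path before running certbot.

Added example for this thread. Writes a throwaway token where certbot
would, fetches it over HTTP like the ACME server does, and reports
what the CA would have seen.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def check_webroot(base_url: str, webroot: str) -> str:
    """Write a random token into `webroot` and fetch it via `base_url`.

    Returns "ok" (token served back unchanged), an HTTP status such as
    "404" (server reached, path not served from this webroot),
    "mismatch" (200 but different body, e.g. a placeholder page) or
    "unreachable" (no HTTP answer at all).
    """
    token = secrets.token_urlsafe(32)
    body = token + "." + secrets.token_urlsafe(16)  # stand-in for the key authorization
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    token_file = os.path.join(path, token)
    with open(token_file, "w") as fh:
        fh.write(body)
    try:
        url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
        with urllib.request.urlopen(url, timeout=5) as resp:
            served = resp.read().decode(errors="replace")
        return "ok" if served.strip() == body else "mismatch"
    except urllib.error.HTTPError as exc:
        return str(exc.code)
    except (urllib.error.URLError, OSError):
        return "unreachable"
    finally:
        os.unlink(token_file)  # never leave challenge files behind


def serve_dir(directory: str):
    """Serve `directory` on a free loopback port (stand-in for lighttpd)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def demo() -> dict:
    """Both outcomes: webroot equals the document root, and the thread's 404."""
    results = {}
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as other:
        httpd, url = serve_dir(docroot)
        try:
            results["same_docroot"] = check_webroot(url, docroot)  # "ok"
            results["wrong_webroot"] = check_webroot(url, other)   # "404"
        finally:
            httpd.shutdown()
            httpd.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as root on the Pi so the token can be written under the webroot, and test with the public name, not 127.0.0.1, so the request takes the same route (router, port forward, lighttpd) the CA's request takes. If the result is "404" while the placeholder page is served fine, compare the webroot certbot prints ("Using the webroot path /var/www") with `server.document-root` in the lighttpd configuration.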

I read in another Linux forum that an affected user uninstalled “certbot” and reinstalled it. After that his problem was solved.
Is this a sensible approach? (“sudo apt-get remove certbot” and “sudo apt autoremove”)

You can use dietpi-software to remove certbot and install it again. Software ID 92.

this

I’ve done “dietpi-software uninstall 92” & “dietpi-software uninstall 84”.
Afterwards I did “dietpi-software install 84” & “dietpi-software install 92”.
Sadly the issue remains.

It looks like the certificate renewal screwed up the system entirely this morning.

Your AGH also has something to do with it, as it hijacked port 80 earlier this day.

Please can you check and share your current certbot log. Maybe the error has changed a bit.


Unfortunately, nothing else had changed in the log. As my certificate expires tomorrow, but I need access, I backed up my data today and reinstalled the device. Problem solved the hard way.

A big “thank you” to Joulinar for your support. :+1: